This week, January 23-28, 2023, is International Data Privacy Week. “Privacy Day” began in the United States 15 years ago, when these issues were just coming on the radar of business and government leaders. Today, we can all agree, no matter where we’re located around the world, that issues of data collection, use, and protection are central to everything we do online.

 

Policymakers across the world have been working to tackle these issues as consumers rightly demand basic rights to their data. It’s something more and more leaders are paying attention to, including the Biden administration. Consumers expect that any entity that collects or stores their data has a responsibility to make sure that data is protected and secure. Consumers also expect accountability when it comes to protecting their security and privacy.

 

In response, last year alone, privacy laws were enacted all over the world – from Indonesia to Tanzania – and comprehensive privacy legislation is under consideration in India, Argentina, South Korea, The Philippines, and the United States.

 

Last year saw significant activity at the state level in the U.S. Connecticut and Utah joined Virginia (2021), Colorado (2021), and California (2020, 2018) in enacting comprehensive privacy laws, providing important privacy protections to consumers in these five states. As these new laws go into effect, by the end of this year more than 60 million Americans will be covered by laws giving them robust privacy protections. Among the protections provided by these laws are requirements for businesses to provide consumers with rights over their data. For example, consumers have the right to:
• Access their personal data and request that it be deleted by businesses;
• Consent prior to collection and use of sensitive personal data;
• Opt-out of targeted advertising; and
• Opt-out of profiling that produces legal and similar effects.

 

In addition, these laws require businesses to evaluate and mitigate risks associated with the collection and use of consumer data and also to enter into contracts with service providers to protect consumer data during processing, including how long they will keep the data.

 

Looking ahead in the U.S. as state houses resume their sessions, we anticipate activity in many states, including Indiana, Iowa, Kentucky, Massachusetts, Mississippi, New York, Oklahoma, Oregon, and Tennessee – all of which have legislatures and lawmakers that have vowed to make privacy a top priority in 2023.

 

While we appreciate the progress being made by the U.S. states, in the end, they are resulting in a complex patchwork of regulations and regulatory bodies, and only protecting a fraction of American consumers. As a result, we look forward to working with the new 118th Congress to craft national privacy legislation that provides strong, consistent consumer data protection through common-sense national privacy standards that preempt a state-by-state patchwork and protect consumers while enabling the beneficial use of data that consumers have come to expect. IBM has long supported national legislation to establish a consistent, uniform standard that provides all U.S. consumers with strong protections over their personal data.

 

We urge Congress to provide exclusive enforcement authority to the Federal Trade Commission (FTC) and state attorneys general, and to avoid provisions like a private right of action that create uncertainty among consumers and businesses without creating strong consumer protection and that undermine the predictability of a national privacy standard. Consumers, not plaintiff’s attorneys, should benefit most from a national privacy law.

 

Looking globally in 2023 and beyond, IBM will continue to work with data regulatory authorities who are implementing privacy regimes and countries considering privacy policies. We urge both those in the implementation phase and those who are starting to draft policies to find ways to differentiate between low-risk and high-risk data-driven business models through smart, targeted precision regulation. Those that rely on the use of data to improve a company’s operations or products and services, also known as internal data monetization or data valorization (“DV”), present a lower risk than those that rely on using consumer data as a revenue stream, also known as external data monetization (“EDM”).

 

The primary focus of oversight and regulation should be on pernicious practices that present a greater risk for the misuse of data, such as higher-risk practices by entities using EDM business models and the targeting of children. The collection and processing of personal information should be governed in accordance with the risk and purpose of the processing activity, and should enable the continued ability to share and use data in line with consumer expectations. Privacy-preserving, secure re-use of personal data for DV (e.g., cybersecurity, fair and robust AI application development or research, commercial research) should not be prohibited. Any regulation should also tailor guardrails to the identified risk.

 

Trust and transparency are critical for technology adoption and for driving innovation that promotes human progress. Throughout IBM’s more than 110-year history, we have applied our values and trust and transparency principles as we serve the evolving technology needs of our clients.

 

During this International Data Privacy Week, we pledge this continued commitment, and urge policymakers to continue to build trust in the digital economy.

 

 

 

– Christina Montgomery, Vice President & Chief Information Officer

Share this post: